Maxlas

Maxlas is referenced here only as a possible point of comparison for a previously undocumented Linux botnet operation dubbed SSHStalker. The supporting content states there is strong ecosystem overlap with Outlaw/Maxlas-style playbooks, but no hard attribution. Based on the provided content, the observed operation used automated mass SSH compromise, a Golang SSH scanner disguised as "nmap," on-host compilation of multiple C payloads after installing GCC, and IRC-based command-and-control with redundancy across multiple servers and channels. It used noisy persistence via cron and service/init mechanisms, often operated from /dev/shm, deployed multiple IRC bot variants in C and Perl, included log-cleaning components that tampered with utmp/wtmp/lastlog, maintained a library of Linux 2.6.x-era kernel exploits, and included rootkit-class artifacts, cryptomining tooling, and a web-scanning kit for harvesting exposed AWS credentials. The content also notes Romanian-language or nickname signals and says the playbook resembles Romanian-linked Outlaw/Maxlas-style Linux botnet ecosystems, but explicitly says there were no definitive Outlaw/Dota identifiers and attribution remains unconfirmed, possibly indicating a derivative or copycat operator. Known related naming in the content is limited to Outlaw and Dota as comparison points; no high-confidence sub-groups for Maxlas are established in the provided material.